CYBER BREACH FALLOUT
2015_Fall_Winter_USLAW-Magazine
34 www.uslaw.org USLAW<br />
<strong>CYBER</strong>SECURITY: The New Professional Risk<br />
PART 2 OF 4: KEEPING CUSTOMERS’ DATA CLOSE TO THE VEST – <strong>CYBER</strong>SECURITY CHALLENGES IN THE RETAIL, RESTAURANT AND HOSPITALITY INDUSTRY<br />
Karen Painter Randall and Steven A. Kroll, Connell Foley LLP<br />
The recent cyberattacks on large corporations such as Neiman Marcus, Target, eBay and Home Depot have brought cybersecurity to the forefront of mainstream pop culture, as the data stolen from these retailers exposed the personally identifiable information of millions of customers. Stolen credit card data typically is posted online and sold on the black market at prices ranging from $3 per Social Security number to as much as $1,000 per bank account login. While these figures seem modest, when multiplied by the millions affected, the financial and reputational damage inflicted can easily ruin any business. In fact, once a retailer suffers a major breach, consumer confidence falls, resulting in a significant drop in profit. As the total average cost of a data breach is now $3.8 million, up from $3.5 million the previous year, the question facing companies is not only how to prevent a cyberattack, but how to position themselves to respond to one sufficiently and quickly. In the second of a four-part series touching on various professional, business and insurance sectors, this article discusses cybersecurity and compliance issues facing the retail, restaurant and hospitality (RRH) industry in today’s rapidly evolving technological climate.<br />
TYPES OF DATA <strong>BREACH</strong>ES AFFECTING THE RETAIL, RESTAURANT AND HOSPITALITY INDUSTRY<br />
The number of reported data security breaches continues to increase while the types of breaches are becoming more diverse and sophisticated. Retail companies are often targeted by cyber criminals because they possess voluminous financial data across their chain of stores throughout the country and overseas. Often these companies are victims of Point-of-Sale malware. In general, there are three basic types of data security breaches that affect the RRH industry and lead to the compromise of a business’ data: physical breach, electronic breach and skimming. The following is a brief overview of each type of breach.<br />
PHYSICAL <strong>BREACH</strong><br />
The first type of data breach affecting businesses in the RRH industry relates to a physical breach. This involves the physical theft of documents or equipment containing cardholder account data, such as cardholder receipts, files, PCs and Point-of-Sale terminals. A physical breach can also involve terminal scams wherein an individual attempts to tamper with merchant Point-of-Sale terminals in order to gain access to card data contained in the device or to perpetrate fraud using the device. For example, a terminal scam may include phone calls received by merchants in which the caller attempts to reprogram client terminals.<br />
Some best practices for a business in the RRH industry to employ to help prevent a physical data breach include: having a detailed security strategy that involves monitoring employees who use Point-of-Sale terminals and conveying clearly defined restrictions to them; installing cameras at computer room entrances and exits as well as check-out lanes where Point-of-Sale terminals are positioned; defining procedures to monitor the cameras and corporate networks and keep recorded footage for a reasonable period of time; requiring ID badges for access to sensitive data centers; and maintaining a log of visitors to sensitive facility areas.<br />
ELECTRONIC <strong>BREACH</strong><br />
A second type of breach affecting the RRH industry is an electronic breach. This involves the unauthorized access or deliberate attack on a system or network environment (at a business or its third-party processor) where cardholder data is processed, stored or transmitted. This can be the result of acquiring access, via Web servers or Web sites, to a system’s vulnerabilities through application-level attacks. Some examples of system vulnerabilities include unsecured remote access, lack of proper password management, and lack of proper access restrictions to cardholder data systems.<br />
There are a number of methods used by hackers in the case of an electronic data breach. For example, a “packet sniffer” is an application that intercepts and logs traffic passing over a digital network or part of a network. This is a standard tool that has been used in network troubleshooting and analysis for many years. Unfortunately, this